Collect Mimecast Secure Email Gateway logs

Supported in:

This document describes how you can collect Mimecast Secure Email Gateway logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the MIMECAST_MAIL ingestion label.

Configure Mimecast Secure Email Gateway

  1. Enable logging for the login account.
  2. Create the API application.
  3. Get the application ID and application key.

Enable logging for the login account

  1. Sign in to the Mimecast Administration console.
  2. In the Account menu, click Account Settings.
  3. Expand Enhanced Logging.
  4. Select the types of logs to enable:
    • Inbound: logs messages from external senders to internal recipients.
    • Outbound: logs messages from internal senders to external recipients.
    • Internal: logs messages within internal domains.
  5. Click Save to apply the changes.

Create the API application

  1. Sign in to the Mimecast Administration console.
  2. Click Add API Application.
  3. Enter the following details:
    1. Application name.
    2. Description for the application.
    3. Category: Enter one of the following categories:
      • SIEM Integration: provides real-time analysis of the security alerts generated by the application.
      • MSP Ordering and Provisioning: available for select partners to manage orders in the MSP Portal.
      • Email / Archiving: refers to messages and alerts stored in Mimecast.
      • Business Intelligence: enables application's infrastructure and tools to access and analyse information to improve and optimize decisions and performance.
      • Process Automation: allows for automation of business processes.
      • Other: in case the application doesn't fit within any other category.
  4. Click Next.
  5. In the Settings section, enter the following details:
    • Developer Name: name of the developer of the application.
    • Email: email address of the developer of the application.
  6. Click Next.
  7. Review the information displayed on the Summary Page.
  8. To fix errors, follow these steps:
    • Click Edit buttons next to Details or Settings.
    • Click Next and go to the Summary page again.

Get the application ID and application key

  1. Click Application and then click Services.
  2. Click API Application.
  3. Select the created API application.
  4. View the application details.

Creating API access and secret key

For information about generating access and secret key, see Creating User Association Key.

Configure a feed in Google Security Operations to ingest Mimecast Secure Email Gateway logs

  1. Click SIEM Settings > Feeds.
  2. Click Add New.
  3. Enter the Feed Name.
  4. Select Third Party API as the Source Type.
  5. Select Mimecast as the Log Type to create a feed for Mimecast Secure Email Gateway.
  6. Click Next.
  7. Configure the Authentication HTTP header by providing the application ID, access key, secret ID, and application key.
  8. Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser extracts key-value pairs from Mimecast email server logs, categorizes the log entry stage (RECEIPT, PROCESSING, or DELIVERY), and maps the extracted fields to the UDM. It also performs specific logic to handle security-related fields, determining the security result action, category, severity, and related details based on values like Act, RejType, SpamScore, and Virus.

UDM mapping table

Log Field UDM Mapping Logic
acc metadata.product_log_id The value of acc is mapped to metadata.product_log_id.
Act security_result.action If Act is "Acc", the value is "ALLOW". If Act is "Rej", the value is "BLOCK". If Act is "Hld" or "Sdbx", the value is "QUARANTINE".
AttNames about.file.full_path The AttNames field, after removing quotes and spaces, and splitting by commas, is mapped to an array of about.file.full_path objects.
AttSize about.file.size The value of AttSize is converted to an unsigned integer and mapped to about.file.size.
Cphr datetime metadata.event_timestamp The value of datetime is parsed as a timestamp and mapped to metadata.event_timestamp.
Delivered Not Mapped Used to determine the stage and product_event_type.
Definition security_result.summary The value of Definition is mapped to security_result.summary.
Dir network.direction, security_result.detection_fields If Dir is "Internal" or "Inbound", the value is "INBOUND". If Dir is "External" or "Outbound", the value is "OUTBOUND". Also added as a detection field with key "network_direction".
Err security_result.summary The value of Err is mapped to security_result.summary.
Error security_result.summary The value of Error is mapped to security_result.summary.
fileName principal.process.file.full_path The value of fileName is mapped to principal.process.file.full_path.
filename_for_malachite principal.resource.name The value of filename_for_malachite is mapped to principal.resource.name.
headerFrom network.email.from, security_result.detection_fields, principal.user.email_addresses The value of headerFrom is mapped to network.email.from if Sender is not a valid email address. Also added as a detection field with key "header_from". If neither Sender nor headerFrom are valid email addresses, then headerFrom is not mapped to network.email.from.
IP principal.ip or target.ip The value of IP is mapped to principal.ip if the stage is "RECEIPT" or to target.ip if the stage is "DELIVERY".
Latency md5 MsgId network.email.mail_id The value of MsgId is mapped to network.email.mail_id.
MsgSize network.received_bytes The value of MsgSize is converted to an unsigned integer and mapped to network.received_bytes.
Rcpt target.user.email_addresses, network.email.to The value of Rcpt is mapped to target.user.email_addresses and network.email.to.
RcptActType RcptHdrType Recipient network.email.to, target.user.email_addresses The value of Recipient is mapped to network.email.to if Rcpt is not a valid email address.
RejCode security_result.description Contributes to the value of security_result.description in the format "RejCode=".
RejInfo security_result.description Contributes to the value of security_result.description in the format "RejInfo=".
RejType security_result.description, security_result.category, security_result.category_details, security_result.severity Contributes to the value of security_result.description in the format "RejType=". Also used to determine the security_result.category and security_result.severity. Mapped directly to security_result.category_details.
Route security_result.detection_fields Added as a detection field with key "Route".
ScanResultInfo security_result.threat_name The value of ScanResultInfo is mapped to security_result.threat_name.
Sender network.email.from, security_result.detection_fields, principal.user.email_addresses The value of Sender is mapped to network.email.from. Also added as a detection field with key "Sender".
SenderDomain sha1 target.file.sha1 The value of sha1 is mapped to target.file.sha1.
sha256 target.file.sha256 The value of sha256 is mapped to target.file.sha256.
Size Snt network.sent_bytes The value of Snt is converted to an unsigned integer and mapped to network.sent_bytes.
SourceIP principal.ip The value of SourceIP is mapped to principal.ip if the stage is "RECEIPT" and IP is not present.
SpamInfo security_result.severity_details Contributes to the value of security_result.severity_details in the format "SpamInfo=".
SpamLimit security_result.severity_details Contributes to the value of security_result.severity_details in the format "SpamLimit=".
SpamScore security_result.severity_details, security_result.severity Contributes to the value of security_result.severity_details in the format "SpamScore=". Also used to determine the security_result.severity if RejType is not set.
Subject network.email.subject The value of Subject is mapped to network.email.subject.
TlsVer URL UrlCategory UseTls Virus security_result.threat_name The value of Virus is mapped to security_result.threat_name.
N/A metadata.event_type Set to "EMAIL_TRANSACTION" if either Sender or Recipient/Rcpt are valid email addresses, otherwise set to "GENERIC_EVENT".
N/A metadata.vendor_name Always set to "Mimecast".
N/A metadata.product_name Always set to "Mimecast MTA".
N/A metadata.product_event_type Set to "Email ", where stage is determined based on the presence and values of other fields.
N/A metadata.log_type Always set to "MIMECAST_MAIL".
N/A security_result.severity Set to "LOW" if has_sec_result is false. Otherwise, determined by RejType or SpamScore.

Changes

2023-03-31

  • Enhancement-
  • Mapped "filename_for_malachite" to "principal.resource.name".
  • Mapped "fileName" to "principal.process.file.full_path".
  • Mapped "sha256" to "target.file.sha256".
  • Mapped "sha1" to "target.file.sha1".
  • Added conditional check for "aCode".